oftware  Dos  and  Don’ts  page  is 


The Business of Security

Practical leadership lessons from the 2010 Compass Award winners

PAGE 22

www.csoonline.com  $9.00  April 2010




method to gain entry to doors. Mirroring the same user experience, HID is now revolutionizing logical access. HID on the Desktop delivers user-friendly convenience and improved risk management for access to Windows® and IT networks by using the same card that opens your doors today.

Contact HID Global for a 90-day trial: hidglobal.com/90daytrial/CSO

I need... seamless access solutions that are convenient and


April 2010  Vol. 9, No. 3


Feature...

22 The Art and Science of Leadership
Cover story: The 2010 Compass Award winners provide critical lessons in integrating security with the business mission. By Bill Brandel


Also Inside...

2 From the Editor
4 From the Publisher

6 Join the Discussion
CSOonline readers debate police log-style transparency and the fear of getting ‘MaleyED.’

9 Briefing
■ Adobe Under Fire
■ Security BSides: Rise of the Anti-Conference
■ Pennsylvania Fires CISO over RSA Talk
■ Travel Safety: What to Pack to Survive a Natural Disaster
■ One Man’s Life on the Security D List
■ How to Spot Fake Job References

18 Hold Everything!
Toolbox: Well, not everything. Legal hold software helps make smart record retention decisions in this litigious era. By Mary Brandel

30 Exfiltration: How Does Your Data Leave?
Industry View: Most attention is on keeping hackers out. But once they’re inside, how do they get data out of your organization? By Nicholas Percoco

32 Ready for Anything
Debriefing: Three useful business continuity and disaster recovery tabletop scenarios.


CSO (ISSN 1540-904X) is published monthly except for a combined issue in July/August and December/January by CXO Media Inc., 492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208. Periodical Postage Rate at Framingham, MA 01701, and at additional mailing offices. Canadian Publications Mail agreement number 1902075. Canadian Postmaster: Please return undeliverable copy to P.O. Box 1632, Windsor, ON N9A 7C9. Copyright 2010 by CXO Media Inc. All rights reserved. Reproduction of material appearing in CSO is forbidden without written permission. Permission to photocopy for internal or personal use or the internal or personal use of specific clients is granted by CSO for users through the Copyright Clearance Center, provided that a fee of $3.50 per copy of the article is paid directly to Copyright Clearance Center, 222 Rosewood Drive, Danvers, MA 01970, www.copyright.com. Please specify: ISSN 1540-904x. Permission to photocopy does not extend to contributed articles followed by this symbol: † Address inquiries to CSO, P.O. Box 3482, Northbrook, IL 60065; 866 354-1125. CSO is free to qualified security executives. To all others the one-year basic rate is $70 for the United States and Canada, $95 to foreign countries (payable in U.S. funds only). The single copy price is $9 to the U.S. and Canada and $15 International. Please allow four to six weeks for new subscriptions to begin. Change of Address: Go to www.omeda.com/custsrv/cso and follow the online instructions. Postmaster: Send change of address to: CSO, P.O. Box 3482, Northbrook, IL 60065. Printed in the USA.


Cover  photo  by  Peter  Murphy 


April  2010  www.csoonline.com  1 


[ FROM THE EDITOR ]

Messaging Matters

The older I get, the more I realize the critical importance of communication.

Ideas live or die based on how well they are communicated. You might think the quality of an idea would matter most, but how many times in your professional life have you seen a good proposal rot while a bad one is pursued with vigor? Which idea to implement was decided based on the quality of the presentation. Whether that seems like a silly way to make decisions is irrelevant; that’s the way it goes down. Communication matters, in all forms: verbal, nonverbal, written and so forth.

So I’m ever more sensitized to how security professionals communicate. And what matters in communication (as every married person knows) is not so much the speaker’s intent, but what the listener hears.

At a recent event hosted by CSO in Washington, D.C., Michael Thies, Raytheon’s executive director of insider threat strategies, gave a presentation in which he described ways of establishing trustworthiness, including background checks. Someone in the audience raised a hand and said:

“That sounds like it isn’t an IT security problem.”

What a regrettable phrase.

Regardless of intent, what it communicates to others is that IT security is not interested in anything other than the network. That’s a bad message to send to the business.

I liked Thies’s response very much. He smiled and replied, “But I would suggest to you that it’s an organizational problem. And that’s why IT security should get in a room with human resources and legal counsel” and whoever else is necessary and work out the approach that’s right for the organization.

The business is what matters. Security exists to protect and enhance the value of the business. When you find an area that requires cooperation with HR or legal or audit, great! These are opportunities to open doors within the company, not to slam them shut with “not my problem” language.

As I read the thoughts of the six Compass Award honorees recognized in this issue (See “The Art and Science of Leadership,” Page 22), this message is driven home again and again. Take the time to read the lessons they’ve learned and how they’ve applied those lessons. The specifics of their security programs are useful, but more valuable is the framework within which they make decisions and communicate those decisions.

It’s all about the business.

-Derek Slater,  dslater@cxo.com 


Editor in Chief Derek Slater
Senior Editors Bill Brenner, Joan Goodchild
Copy Editor Colleen Barry
Editorial Administrator Pat Josefek
Contributors Mary Brandel, George Campbell, Robert McMillan, Michael Fitzgerald

DESIGN
Executive Director, Art and Design Mary Lester
Art Director Steve Traynor

RESEARCH
Research Manager Carolyn Johnson

TECHNICAL ADVISORY BOARD
Jason Cowling
Jeremiah Grossman, WhiteHat Security
Frank Murphy, TBG Security
Stephen Northcutt, SANS Institute
Richard Power, Carnegie Mellon CyLab

EDITORIAL/ADVERTISING/BUSINESS OFFICES
492 Old Connecticut Path, P.O. Box 9208, Framingham, MA 01701-9208
Main phone number: 508 872-0080

CXO MEDIA INC.

INTERNATIONAL DATA GROUP
Chairman of the Board Patrick J. McGovern

IDG COMMUNICATIONS, INC.
CEO Bob Carrigan
Chief Content Officer John Gallant




Photo  by  Webb  Chappell 


ADVERTISEMENT 


MARKET PULSE


A recent IDG Research Services survey, called "Pulling the Plug on Legacy Log Management," is turning heads in the log management industry.

In a startling development, 69 percent of organizations are now willing—if not already planning—to call it quits on their legacy log management solution.

"Needs have evolved and organizations are no longer seeing the value in the systems they've implemented," declares Tim Zonca, Product Marketing Manager for Tripwire Log Center at Tripwire, Inc., a global provider of IT security and compliance automation solutions based in Portland, Ore. CSOs are paying too much and getting too little despite attempts at jerry-rigging components together to address emerging needs.

As a result, CSOs are taking drastic measures—"ripping and replacing" legacy log management solutions in the hopes of something better. That's an unprecedented turn of events, according to Zonca.

Buried in Landfills

Log management has long been perceived as a down-and-dirty approach to managing volumes of information—collecting, aggregating and retaining "virtual landfills of data," says Dwayne Melançon, vice president of log management at Tripwire.

But, he says, those landfills aren't effectively addressing today's security and compliance challenges. What security executives really want is a broader, more intelligent view of IT happenings, including other disciplines like Security Information and Event Management (SIEM), Configuration Management, and File Integrity Monitoring (FIM).

Poised for Transition

To that point, a resounding majority of those surveyed appear unsatisfied with their legacy log management implementations. Indeed, they are considering and/or planning to upgrade or replace those systems.

The IDG study uncovers several unmet requirements that contribute to this planned transition:

Simplification. Management is considered exceedingly complex, particularly with the proliferation of point solutions. CSOs are struggling to bring discrete technologies together, desiring a simple dashboard display of alerts and event data across disciplines.

Security. Immediate response to threats is a priority. But with boatloads of data and no correlation, it's difficult to minimize the time between a breach and its detection. Now CSOs are looking for real-time access to the information they need to expedite detection.

Spending. High costs are consistently a challenge. Traditional pricing models are complicated, tied to hardware-related expenses; management efficiencies come at a cost, too. CSOs are ready for a more cost-effective model and time-saving tools.

An Integrated Future

According to the IDG study, the answer is integration, with a staggering 83 percent of respondents recognizing the value in combining log management and SIEM. "After all, what is one without the other?" asks Zonca.

The integration of log management, SIEM, configuration management and FIM on one platform can be the game-changer for which the industry thirsts. This type of next-generation thinking would move the focus from what kind of event pops up to the risk it presents. Greater visibility across disciplines would be gained. The intelligence to analyze and correlate data would be automatic. And data would come in "usable formats, like a real-time dashboard and single-click detail investigation," says Melançon.

And more important, there'd be no more compromise. With integration, CSOs can have it all—intelligence, performance and savings.

Suddenly the idea of "ripping and replacing" doesn't seem so drastic after all.

Go to www.csoonline.com/whitepapers/Tripwire to obtain a free download of Pulling the Plug on Legacy Log Management and the complete research results.


[ FROM THE PUBLISHER ]

Some States Make the Cut


In my travels, I get a unique glimpse into how security is approached by various vertical markets and industries, as well as by all levels of government and its assorted agencies. Some impress me with their forward thinking, while others just don’t seem to be getting the message.

When it comes to government, what is that message? It’s that security is no longer optional. As our governments, they are in possession of the most private and sensitive information about us: financial, medical, criminal and so on. It’s no longer acceptable to take shortcuts in protecting the data we entrust to them. Unfortunately, they don’t all seem to be getting that message very clearly.

In some states, such as Washington, Oregon and even California, with its significant financial challenges, elected officials have made information security a priority. As in the private sector, they have come to understand the risks a cyberattack poses to both their own reputations and the safety of their customers (in this case, the taxpayers and voters).

In these states, the role of the information security officer is critical and we see ISOs at all levels of state and local government. In other states (Pennsylvania, for example) we see IT and IT security budgets being cut over the past several years, and a clear message being sent that security must give way to the larger bureaucracy of state government. Just a few weeks ago, Pennsylvania dismissed its CISO, allegedly for talking about a data breach at RSA without prior authorization. Sounds a little convenient for me. Politics at play.

It’s really not that different from what we see in many private businesses. The CEO either gets security or doesn’t get it. In the private sector, the CEO is sometimes taking a calculated risk, and we in business understand that. Greater risk can lead to greater rewards. But I really doubt that Governor Ed Rendell is taking an educated risk. I say this because when it comes to government and the management of its citizens’ data, the same risk equations do not apply. You either protect the data or you do not, and accept the consequences of the breach that will inevitably occur if you choose the latter. I guess that makes it a political equation.

As for me, I don’t want political equations deciding the fate of my most sensitive, personal information. I just wish all our government officials understood risk like we do in the private sector.

What do you think?

-Bob  Bragdon,  bbragdon@cxo.com 


Advertiser Index

CXO Media Inc. ... 8, 11, 13, 15
HID Corp. ... C2
PhoneFactor ... C3
SecureWorks ... C4
SpectorSoft Corp. ... 17
Trend Micro Inc. ... 5
Tripwire Inc. ... 3


President and CEO Michael Friedenberg
Group Publisher Bob Melk
Publisher Bob Bragdon
Senior National Sales Manager Per Melker
East Coast Regional Sales Manager Roz Burke
West Coast Regional Sales Manager Michelle McHugh
Sales Associate Sarah Nadeau

INTEGRATED MEDIA AND ONLINE SALES
SVP, GM, Online Operations Gregg Pinsky
VP, Online Sales Brian Glynn
East Coast Online Regional Sales Manager Richard Hartman
West Coast Online Regional Sales Manager Erika Karr
Central Online Regional Sales Manager Stacy Bryne
Director, Online Account Services Danielle Tetreault
Online Account Services Specialists Jennifer Malkasian, Elise Ryan, Tara Shea

CUSTOM SOLUTIONS GROUP
Vice President Charles Lee
National Sales Directors Tom Grimshaw, Karen Wilde

PRODUCTION
VP/Manufacturing Chris Cuoco
Production Manager Heidi Broadley

EXECUTIVE PROGRAMS
SVP, Executive Programs Ellen Daly
Vice President, Event Marketing Michael Garity
Sr. Director, Event Operations Deb Begreen
VP, Content Development & Events Derek Hulitzky

MARKETING
Vice President, Marketing Sue Yanovitch
Sr. Marketing & PR Specialist Lynn Holmlund

LIST SERVICES
Contact Steve Tozeski of IDG List Services at 508 820-8106 or stozeski@idglist.com

REPRINTS & PERMISSIONS
For information about reprints and copyright permissions, please contact The YGS Group, 800-290-5460 ext. 129, cso@theygsgroup.com




Photo  by  Christopher  Navin 


ADVERTORIAL

Raimund Genes
CTO, TREND MICRO

Raimund Genes has more than 30 years’ experience in computer and network security. He is currently Chief Technology Officer at Trend Micro, which specializes in technology to protect businesses against email, Web and file-based threats.

FOR MORE INFORMATION: please visit www.TrendMicro.com

TREND MICRO
CSO Custom Solutions Group


Security in the Cloud

Security in the cloud can be an important business enabler, and filter threats before they strike.

Why has security in the cloud become such a hot button for today's businesses?

Everyone knows the importance of IT security. But worrying about it is more of a distraction than a business enabler. Outsourcing this activity to a security service provider gives companies the benefit of expert knowledge that they might not be able to build up internally. More importantly, security in the cloud filters threats before they can infect a company’s computer systems. The provider handles deployment and keeps the security software up-to-date. It’s not only cost effective but frees the internal IT team to focus on projects that actually drive the business.

“It's not only cost effective but frees the internal IT team to focus on projects that actually drive the business”

What are the advantages of processing security in the cloud compared to having security tools residing on the desktop and in the data center?

First of all, it saves server storage costs by preventing spam from ever reaching the premises. Though regulations vary among countries and industries, once you receive an email you have to archive it for a specific period of time, which could consume a lot of space on network servers. Blocking that content in the cloud would minimize the problem since the security provider is not the intended recipient and therefore under no legal obligation to keep it.

Second, it protects desktop and data center performance. With cyber criminals bombarding us with new malware every 1.5 seconds, security solutions require constant updating. Native security software would eventually grow so complex that it would monopolize memory and CPU cycles. Eventually system performance would become slower and slower. Outsourcing security to the cloud removes this problem.

How is using security in the cloud affecting the way businesses share data and applications with remote workers and external partners?

Even with a reliable cloud partner, there’s always a risk that unencrypted data, such as the text of an email message, could get into the wrong hands. To ensure safe, confidential and transparent communication between employees, partners, subsidiaries, and others, many cloud security providers need to offer identity-based encryption along with content security services that screen for malware. A cloud computing service provider tends to operate globally, with redundant data centers that ensure fast access from anywhere in the world. Many companies are discovering that for their mobile workforce, cloud security offers more reliable protection than local signatures which are difficult to update.

What innovations do you see on the horizon for security in the cloud?

I think the next hot topic will be securing data in the cloud itself. Cloud security providers will be expected to protect data in the cloud using the same high standards currently applied to data on the desktop, the server and the messaging system. Then companies won’t need to worry anymore about somebody hacking the cloud and gaining access to the data residing there. They won’t need to worry that a cloud vendor might accidentally forward confidential data to an unauthorized third party, keep the data after the contract has ended, or resell the data to a competitor. Security for the cloud will ensure that the data is only accessible by the company who has the right to access it.


What’s on your mind? Security leaders discuss and debate at www.csoonline.com


BLOG POST

We Need Police Log-Style Transparency

Jeff Bardin suggests immediate, complete disclosure of all security incidents as the solution to today’s culture of FUD and blame

“Pennsylvania’s chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last month about a recent incident involving the state’s online driver’s license exam scheduling system. A source close to the matter said Maley was terminated for not getting the required approvals from state authorities to talk publicly about the incident,” writes Jaikumar Vijayan (See “Pennsylvania Fires CISO over RSA Talk,” Page 12).

The termination of the CISO for the state of Pennsylvania begs many questions. Of course the CISO, like most CISOs, is under a constant gag order from internal authorities. CIOs, COOs, legal counsel, and so on, all place pressure on CISOs not to divulge anything about any internal issues with systems, applications, breaches or incidents. It is part of the trust given to the CISO. In my experience, many times you cannot even divulge basic incidents internally, since any demonstration of system issues with a security bent is taboo—it’s strictly need-to-know. What is strange is that a system outage that happens all too frequently with information systems is usually well-known internally, but anything deemed a security issue is shuttered up like a Detroit auto plant and ignored like the red-headed stepchild.

It looks as though this issue is an information systems issue. Vijayan writes that “the source said someone at the school exploited a configuration ‘anomaly’ in the Department of Transportation’s online driver’s test scheduling system.” A configuration anomaly is usually an issue with IT that the CISO has to take the hit for, even though the problem is usually due to inappropriate internal access or poorly configured code or systems. It then becomes a security issue and the muzzle is applied.

We continually strive to get metrics from corporations and government entities on incidents so we can have a baseline to measure against, yet nearly all organizations I have been in, and those that my peers have been in or are in, hide what they term “security incidents” like you would a cold sore on a first date. They use a catch-all classification, so it is deemed highly sensitive to the corporation. This usually translates as:

“We don’t want anyone to know about this highly embarrassing issue since it shouldn’t have happened in the first place, but we willfully ignored the CISO’s previous warnings and decided to accept the risk. Now that we have been caught with our pants down, we will hide it by placing the blame on anyone who leaks this info or goes against our wishes.”

This is the shoot-the-messenger approach to corporate management that is truly FUD. As a matter of fact, I see corporations using FUD every day, but if a CISO is to use it, he is immediately discredited as a cry-wolf type of person who won’t get the funding anyway. Basically, you are the house pet and told to go lie down by your dish.

Well, I don’t know all the details about the incident, but I would bet many of my comments are spot-on. What I suggest is a federally mandated reporting system of all incidents, like the police logs that get published in newspapers. All contacts to security, regardless of criticality and scope, would be published on each organization’s website much like this:

MARCH 1, 2010

1:11 a.m.
An HR rep came to the help desk asking to sign a complaint saying he was harassed by a systems analyst near the cafeteria water cooler over complaints that an HR application was poorly built.

1:13 a.m.
A marketing employee turned in an unused key fob found near the data center door.

2:23 p.m.
Archie A. Moore, of the corporate business development office, was charged with a Class U misdemeanor for allegedly operating a PC when his credentials were suspended following an application error stop that caused an outage. Information Security ran Moore’s ID badge through the computer and it returned information that he had been suspended for a security training lapse. Moore told InfoSec he did not know that had happened, he just plain forgot. Moore was ordered to appear in HR court at a later date and given a verbal warning.

9 p.m.
A remotely located employee called reporting excessive noise coming from the network closet. An InfoSec analyst responded and found a network switch that had apparently fallen through a hole in the closet floor. The switch appeared to be the one reported missing the day prior. No one was harmed in the falling switch episode.

10 p.m.
InfoSec responded to HQ and a reported argument between an IT architect and a business analyst, which had led to an internal denial of service allegedly perpetrated by the business analyst. InfoSec spoke to the woman involved, who admitted releasing a mail bomb after she was urged to do her worst. The man gave InfoSec the same story; both parties were issued a warning by HR and turned over to their managers for remedial training.

11:14 p.m.
An external probe turned into an attack that penetrated the DMZ, leading to the accessing, by an unknown assailant, of 157 records of personally identifiable information from the corporate point-of-sale system. InfoSec and external authorities are on site, following standard chain-of-custody and evidentiary rules as legal counsel is preparing communications to all affected parties based on each individual state data-breach law that applies.

With an InfoSec log of this type published externally for all to see, I would bet the company would start to correct its behavior and actually try to remedy issues. Hell, it may even start to include security from the onset of any project, application, system, outsourcing effort, mergers and acquisitions discussion, cloud migration, and so on. It would force organizations to come clean and actually do something about their issues that seem to get dumped into the laps of CISOs. It may even get those who actually own the systems and data to accept responsibility and accountability for the actions (or mostly inactions) they decide to take.

Good luck to Mr. Maley. Time to write a book.

—Jeff Bardin

RESPONSE

The fear of getting ‘MaleyED’

This is such a disappointing story. I would fire out my concerns and blast my horn of discontent at the injustice of it all. I would yell out at the horror of seeing a comrade fall for such a trivial act. But, alas, I fear the same reprisal. So I stew silently, anonymously, for fear of getting “MaleyED” myself.

—Anonymous

HOW TO REACH US

You can contact us directly or post your thoughts on specific articles and blogs at www.CSOonline.com.

Derek Slater, Editor in Chief
dslater@cxo.com
508 935-4213
Twitter: @derekcslater

Bill Brenner, Senior Editor
bbrenner@cxo.com
508 988-7587
Twitter: @billbrenner70

Joan Goodchild, Senior Editor
jgoodchild@cxo.com
508 988-7994
Twitter: @msjoanieg

Subscriber Services
Phone: 866 354-1125
Fax: 847 564-9453
E-mail: cso@omeda.com

Reprints & Permissions
For information about reprints and copyright permissions, please contact The YGS Group, 800 290-5460, ext. 129, cso@theygsgroup.com.


MORE ON THE WEB

Tools, Templates and Policies

Creating a social media policy or re-writing your cell phone usage guidelines? Looking for a BC/DR worksheet? Check out our (growing!) library of security tools and sample policies at:

www.csoonline.com/article/486324




CSO Forum on LinkedIn

Share best practices and insight and discuss your challenges with your security executive peers.

The CSO Forum is where members of the security community can connect and collaborate to move their security and technology initiatives and careers forward.

If you are a senior security or IT professional, we’d love to have you join. Apply for membership today.

Visit linkedin.com, click Groups and search for “CSO Forum”

Facilitated by CSOonline.com and CSO Magazine

CSO
BUSINESS RISK LEADERSHIP



“Very few  see  themselves  as  security  A-listers.  Many 


Edited by Bill Brenner

THREAT WATCH

ADOBE UNDER FIRE

Why the bad guys love to target Adobe software, and what the company is doing about it


and has taken steps to improve the patch-installation process.

But that’s of little comfort to security pros like Christophe Veltsos, president of Prudent Security and writer of the Dr. InfoSec blog.

“I used to require that my students (at Minnesota State University, Mankato) turn in their assignments in PDF format instead of Microsoft Word,” he said. In light of recent security problems, however, “I've switched back to Microsoft Word, as it appears to be a safer alternative to PDF.”

In an interview with CSO, Brad Arkin, director of product security and privacy at Adobe Systems, compared his company’s security woes to those Microsoft went through in the days of Windows 2000 and XP and Internet Explorer 6.

“We understand that the reason Adobe is such a big target for the bad guys is that it’s so ubiquitous,” he said. “Something like Reader or Flash Player is installed on just about every single machine out there that’s connected to the Internet. That means the bad guys don’t have to work so hard because if they can find a problem to exploit, it can be directed at every machine. As a result, every bad guy on Earth is looking for something to exploit in our software.”

-Bill Brenner


The  way  IT  security  pros  see  it,  Adobe  is 
the  monster  they  can’t  live  with  anymore. 

But  they  really  can’t  live  without  it,  either. 

Users  rely  on  Adobe  software  to 
create,  edit  and  view  a  variety  of  rich-media 
content.  But  for  many  security  practitioners, 
frequent  attacks  against  a  range  of  security 
holes  has  become  too  much  to  take.  In  early 
February-mere  weeks  after  the  company 
patched  one  critical  flaw-Adobe  was  forced 
to  rush  out  another  patch  for  its  Reader  and 
Acrobat  software.  The  company  also  had  to  rush  out  a  critical  fix  for 
Flash  player  in  February.  At  the  start  of  the  year,  some  security  vendors 
predicted  that  Adobe  would  be  the  top  target  of  attackers  in  2010. 

A  recent  security  bulletin  from  vulnerability  clearinghouse  Secunia 
painted  a  grim  picture  of  the  flaws  in  Acrobat  and  Reader.  The  bulletin, 
flagged  as  “highly  critical”  information,  described  two  vulnerabilities 
attackers  could  exploit  to  bypass  certain  security  restrictions  and 
hijack  the  user’s  machine: 

■  An  error  in  Flash  player  that  could  be  exploited  to 
perform  unauthorized  cross-domain  requests.  “The 
vulnerability  is  caused  due  to  an  error  [that  surfaces] 
while  enforcing  cross-domain  restrictions,”  the  bul¬ 
letin  said.  “This  can  be  exploited  to  bypass  domain 
sandbox  limitations  and  perform  unauthorized  cross¬ 
domain  requests.” 

■  An  unspecified  error  attackers  could  use  to  cause  a  denial  of  service 
or  launch  malicious  code. 

To  its  credit,  Adobe  fixed  the  flaws  in  short  order  with  Acrobat  ver¬ 
sion  8.2.1  and  Reader  9.3.1. 

The  company’s  security  team  has  also  tried  to  use  the  blogosphere 
to  stay  in  touch  with  customers  regarding  new  flaws,  attacks  and  fixes 


Illustration  by  Esteban 




>>  BRIEFING 


BY THE NUMBERS

29: Number of websites hacked by Iran’s Islamic Revolutionary Guard Corps because the group suspected that the sites were part of U.S. espionage networks

200: Number of data breaches Trustwave’s SpiderLabs team investigated in 2009

24: Number of countries in which those data breaches occurred

50,000: Number of bytes the Zeus Trojan horse software takes up on a compromised Windows computer

$3,000-$4,000: Average cost of a basic Zeus builder kit

15,000: Number of Swiss bank accounts compromised in HSBC breach


INDUSTRY 


Security BSides: Rise of the Anti-Conference


When security professionals flocked to San Francisco for last month’s RSA 2010 security conference, they also had access to a set of presentations and events not found on the official RSA agenda.

Called Security BSides, the alternative event was billed as an anti-conference of sorts: a place where practitioners could get a stripped-down view of the industry. It’s an idea spreading like wildfire across the country.

The BSides website says the goal is to expand the spectrum of conversation “beyond the traditional confines of space and time,” giving people the chance to “both present and participate in an intimate atmosphere that encourages collaboration. It is an intense event with discussions, demos and interaction from participants.”

Before the San Francisco event, the last BSides was held in Las Vegas, coinciding with last summer’s Black Hat USA and Defcon conferences. The events are free, though representatives from the Electronic Frontier Foundation accept donations at their display table.

There was also a BSides gathering in Austin, Texas on March 13, and another is scheduled for April 24-25 in Boston, the weekend after the popular Source conference takes place there.

Zach Lanier, a Boston-based security practitioner who has played a leading role in the Security Twits community on Twitter, is helping pull together the Boston event.

“I got involved chiefly because I really dig the ‘uncon’ concept, and because I think it serves an ever-growing need,” Lanier said. “There’s an overwhelming amount of computer security and hacking knowledge to be shared and talked about. Major conferences are, understandably, quite selective in accepting talks, and some of the proposals may not even fit the theme of that particular con.”

Security BSides provides an opportunity for folks to give those very talks and maybe even inspire some attendees to hop up and give a talk of their own, he added.

Jack Daniel, a National Information Security Group director and a community development manager at Astaro, said the idea began when Black Hat 2009 sent out their “thanks, but no thanks” messages to those whose presentations were not accepted, and several people lamented their rejections on Twitter. Soon after, someone proposed to provide a separate venue for alternative talks.

“The first event came together quickly with a lot of effort from several people; it was a great combination of intelligent presentations and discussions, some of which just wouldn’t fit into larger conferences,” he said. “The relaxed atmosphere is more intellectual frat house than security conference.”

Erin Jacobs, chief security officer at United Collection Bureau in Chicago, said she initially saw the events as a soapbox for people whose talks were denied by Black Hat or Defcon. It wasn’t until the event started to take shape and talks were being added that it became evident that the content was unique and might not have fit anywhere else, she said.

“Presentations that might not have commanded a room of 300 were captivating to the 50-80 people in the room at BSides [Las Vegas] to listen, learn, and participate in a way that we haven’t seen before,” she said.

“BSides Las Vegas was held off-site, in a house, and it was quite a unique feel just getting to the venue,” she said. “You truly felt like you were embarking on a journey to something very different. The feeling in the house was that of a college mixer meets networking happy hour; the people made the event!”

-Bill Brenner




Photo  by  iStockphoto.com 


THE EMPLOYEE SECURITY AWARENESS NEWSLETTER FROM THE EDITORS AT CSO

Security Smart is a quarterly security awareness newsletter ready for distribution to your employees, saving you precious time on employee education! The compelling content combines personal and organization safety tips, so it is applicable to many facets of employees’ lives. And the easy-to-read design has multiple entry points, so you are assured that your intended audience of employees (your organization’s most valuable assets) will read and retain the information.




Subscribe  today! 


To  view  a  sample  issue  of  the  newsletter,  learn  about  the 
delivery  options  and  to  subscribe  visit: 

www.SecuritySmartNewsletter.com 




For  more  information  please  visit 

www.SecuritySmartNewsletter.com 

Security Smart is published by CSO, a business unit of CXO Media. © 2007 CXO Media Inc.


>>  BRIEFING 


DISCLOSURE

Pennsylvania Fires CISO over RSA Talk

Pennsylvania’s chief information security officer, Robert Maley, has been fired, apparently for talking publicly at the RSA security conference last month about a recent incident involving the state’s online driver’s license exam scheduling system. A source close to the matter said Maley was terminated for not getting the required approvals from state authorities to talk publicly about the incident.

State rules explicitly require all employees to get approval before they publicly disclose official matters, the source said. A spokesman for the state’s governor, Edward Rendell, today confirmed that Maley is no longer working for Pennsylvania, but he refused to say if Maley had been terminated, citing privacy rules.

Maley, who was Pennsylvania’s CISO for more than four years, was part of an RSA conference panel discussing state cybersecurity issues. There he talked about a recent incident involving a Philadelphia-area driving school that tried to register for early driving tests for its students.

The source said someone at the school exploited a configuration “anomaly” in the Department of Transportation’s online driver’s license test scheduling system. The vulnerability allowed the school to cut the line and sign up for “a whole bunch” of license exams for its students, the source said. The incident was reported to the state police and is currently under investigation, the source said.

Danielle Klinger, a spokeswoman for Pennsylvania’s Department of Transportation, confirmed that a problem had been uncovered in the test scheduling system and that the matter has been turned over to state police. However, she contested several media reports that have described the incident as a hacking attack, and said that as far as the department was aware, there had been no hack or breach of the system.

Maley’s dismissal comes amid budget and staff cuts in Pennsylvania’s IT security organization, the source said. Over the past two years, the administration has cut information security budgets by close to 38 percent and staff by 40 percent. It also instituted a lockdown on talking about cybersecurity, the source claimed.

CSO interviewed Maley last year for an article about how penetration testing was central to the state’s cybersecurity efforts. He said at the time that his environment included roughly 47 state agencies, boards and commissions, which comprised about 77,000 employees, 80,000 endpoints and 5,000 servers that his office was ultimately responsible for. “We have agencies with remote offices all across the state, at least 1,000 locations,” he said at the time.

-Jaikumar Vijayan


PREPAREDNESS

Travel Safety: What to Pack to Survive a Natural Disaster

Secure-travel plans often consider kidnapping or terrorism. But what about natural events like the recent earthquakes in Haiti and Chile?

Chris Falkenberg, founder and president of Insite Security, spoke with CSO about the variables organizations should consider, and the items they should pack when traveling, particularly in the developing world or politically unstable regions.

CSO: So what kind of advice can security folks give travelers? What should they advise them to pack so that they’re prepared?

Falkenberg: First is a satellite phone. I think they are very valuable, even in the United States. In the event of a big U.S. crisis, like a blackout, or even some kind of crisis where cell towers are still up, they will be deluged with calls. And in some municipalities, cell phone providers prioritize calls from police and public service, so you might not be able to get a line. We are told to use SMS messaging to get information through, but if a cell tower is down, you’re stuck. A satellite phone is totally independent. And if you don’t want to carry a satellite phone, there are satellite-based beacons that people can carry that are designed for back-up use. They can work for people in a city as long as they are outside.

The second thing is the issue of pure water. One of the most valuable things we could send to Concepcion (the Chilean city closest to the epicenter of the February earthquake) right now is one of a variety of water-treatment mechanisms. All of them are very small and intended for backpackers and hikers and therefore easy to put in a suitcase. There are clean-water straws, there is a UV-electric device, there are iodine pills, there are a number of ways to take unsafe water and make it safe.

The next thing is flashlights. I can’t imagine a more valuable security or emergency tool than a flashlight.

N-95 masks would be very useful in Haiti and Chile because they enable you to breathe in dusty environments. Also, a good medical kit.

-Joan Goodchild




Illustration  by  Esteban 


CSO’s e-Mail Newsletters

Keep Up To Speed On the Security Issues Important to

Delivered right to your desktop

CSO Update: A look at the latest security news and analysis on CSOonline.com, delivered twice a week.

CSO News Watch: A recap of the week’s top news stories.

CSO Career: A twice-monthly newsletter of career and leadership-oriented news, articles and events plus job postings.

CSO Tech Watch: Twice-monthly update on technologies for protecting networks, facilities, employees, intellectual property and more.

CSO Security Leader: Monthly leadership-related articles and reports from CSO, as well as tips for educating employees and corporate leadership.

CSO Continuity & Recovery: A twice-monthly review of published material concerning business continuity and disaster recovery.

Security Research & Metrics: A monthly roundup of useful security research, benchmarks and statistics.

Sign up now for CSO’s complimentary e-mail newsletters: www.CSOonline.com/newsletters




>>  BRIEFING 


CAREER

One Man’s Life on the Security D List

Author Andrew Hay explains the four keys to moving from the bottom of the IT security shop to a place of respect, and why getting to the A list isn’t all it’s cracked up to be


Security Wisdom Watch

Thumbs Down: The state of Pennsylvania. Fire your CISO for talking about an incident that should have already been public knowledge? Way to be transparent, Pennsylvania.

Thumbs Up: Fired Pennsylvania CISO Bob Maley. Since his state really had no IT security infrastructure until he showed up three years ago and rolled up his sleeves, Maley should have been able to talk about anything he wanted at the RSA conference last month. His bosses weren’t thinking straight when they let him go, and their action sends a chill down the spines of those in the industry.

Thumbs Up: Security BSides. This so-called anti-conference is catching on across the country, with recent events in San Francisco and Dallas, and another in Boston this month. Can’t get a good presentation accepted by the big boys? BSides is your refuge.

Thumbs Down: Mobile apps (pretty much all of ’em). The bad guys knew the day would come when people would start using smartphones, and the apps that go with them, like laptops and desktops. That day is here, and so are the attacks.

Thumbs Both Ways: Zeus Botnet. Good news for botnet controllers: New capabilities are strengthening the Zeus botnet and the sky is the limit for data thieves as a result. Of course, what’s good for them is bad for the rest of us.

-B.B.


It used to be that security practitioners were seen as propeller-hat wearing introverts hunched over computers in dark, cold basements for weeks on end, shunning daylight and anyone who tried to start a conversation with them. Times have changed. But the path to respect isn’t always what you’d expect.

Thanks to the blogosphere, social networking sites and podcasting made easy, many security pros are taking on a much more public persona, becoming industry rock stars. There was abundant evidence of this on view at last month’s RSA conference and the nearby Security BSides event.

True, many security pros still prefer the quiet, isolated life. It’s also true that the introvert tag never really fit many people. But several conference attendees acknowledged that theirs has become a much more public profession. It’s a necessity, they say. To truly improve security, people need to be out there communicating the threats computer users face and explaining how to prepare the proper defenses.

Andrew Hay, information security analyst at the University of Lethbridge, opened Security BSides with a talk about his life on the security D list and the four tools one can use to move higher up the ladder. Hay, a specialist in forensics, incident-handling and network-security management, explained there are few celebrities in the security industry, and many who are don’t know it. Then there are those who are stars and will let you know it at every opportunity.

“When we start our career, we are on the D list and it’s a tough climb out,” Hay said. “Many are happy to stay there, others want to do great things. Very few see themselves as A-list. Many think they’re above the D list.”

The A list is made up of those who are asked to present at conferences, get comp time from their employer to do it, and have invented something everyone has used, he said.

Those on the B and C lists write blogs and have achieved some notoriety, but are harder to pick out of a crowd, Hay said, describing the four strategies he used to advance in the security profession:

1. Blogging and writing

2. Going to conferences, gatherings and groups and networking

3. Social networking: getting one’s voice out there by such vehicles as Twitter, Facebook, LinkedIn and so on. (Hay described Twitter as one of the best things to happen to security. “I wouldn’t know half the people in this room otherwise,” he said.)

4. Participating in online communities

-B.B.




Photo  by  Getty  Images 


CSO would like to thank the sponsors of the CSO Executive Seminar on Data Protection and Encryption and CSO Perspectives! Produced by: CSO

PLATINUM SPONSOR: NetIQ, An Attachmate Business

GOLD SPONSORS: Blue Coat; Code Green Networks; McAfee (Data protection to the core); Trend Micro; The Security Division of EMC

SILVER SPONSORS: Sophos (simply secure); ActivIdentity; BeyondTrust (privilege, made simple)

EMERGING SOLUTIONS SPONSOR: (logo illegible)

MEDIA SPONSOR: Security Executive Council (Security Leadership Solutions)


>>  BRIEFING 


HIRING

How to Spot Fake Job References

There have always been unethical or desperate job hunters out there who have used a friend or relative as a reference in order to increase their chances of landing a position. Providing a fake reference who will lie and speak glowingly about a candidate is nothing new.

But a niche business has cropped up that takes that a step further. Websites like Alibi HQ and CareerExcuse.com offer fake reference services to any job-seeker whose credentials and references don’t stand up on their own. And they’re cashing in.

That’s bad news for hiring managers, according to Jeff Wizceb, a vice president with HR Plus, a division of AlliedBarton Security Services that provides background screening services.

“You basically sign up and create your own company that you want to have worked at or create a position at a legitimate company,” said Wizceb. “You plug in references, position, salary, all that information, and if an employer were to call the number you provided, these sites will pose as a reference and it would be basically this fake company that would ‘verify’ the information.”

And these sites are doing big business. One such service, CareerExcuse.com, is no longer taking new clients because of an overabundance of work. And with this kind of deception available to anyone, companies checking backgrounds and references can’t be any more sure that a candidate previously spent time as a vice president of operations than as an inmate of cell block nine.

“I think human resources departments may realize these are out there, but they don’t realize how prevalent it is,” said Wizceb. “With these sites turning away business, I think it shows people are using these services a lot more than what we might think.”

Other sites, such as Alibi HQ, go beyond just job background services to also offer fake landlord references and doctor’s notes. Wizceb chalks the sites’ popularity up to the desperation engendered by the economy.

“I’ve been in this business for 13 years; I’ve only seen these sites for about two years. I think it’s a byproduct of the economy. As people become more desperate looking for work, and with fewer jobs to apply to, these sites pop up to help them provide reference information that helps them be a better candidate.”

Wizceb offers tips for folks in charge of hiring:

Ask specific questions: If someone is lying, they tend to put basic information on a resume. Simply company name and supervisor, said Wizceb.

“If you can think beyond the application, and ask questions that go beyond what is on the resume, you may be able to catch the person off-guard to get a feel for if this person is being honest,” he said.

Wizceb recommends asking for details such as the name of the building an applicant worked in or the names of other co-workers.

Check it out yourself: Ignore the information on the resume and check out the company yourself, said Wizceb. Instead of taking what the candidate says at face value, Google the company and see what information is out there.

“If I look up ABC Company, and nothing comes up in Google, that should obviously be a red flag,” said Wizceb.

Many job-seekers might use an actual company but fabricate their employment or position. Wizceb suggests contacting the company directly to verify if the reference listed on the resume is an actual current or former employee, as the candidate claims. A company directory can be a good resource for this kind of checking, he said.

-Joan Goodchild




Illustration  by  Esteban 


MARKETPLACE

I surf x-rated sites from behind my cubicle walls

I pass company secrets via the web

I shop online all afternoon


Monitor Employee PC & Internet Activity

Spector 360 is the world’s first monitoring solution that makes it easy to detect inappropriate employee behavior. At the touch of a button, you will see ALL PC & Internet activity for your entire company and find out which employees are working, playing, doing their job efficiently or putting your business at risk by engaging in illicit or illegal behavior.

Spector 360 Records ALL Your Employees’

• Emails (Sent and Received)
• Chats & Instant Messages
• Keystrokes Typed
• Web Sites Visited
• Files Saved to Removable Media
• Google & Other Online Searches
• Network Traffic

and much more...

Plus, Spector 360 includes a powerful screen snapshot recorder that shows you in exact visual detail what an employee does every step of the way... think of it as a surveillance camera for your office PCs.


Spector 360 Dashboard: Users Spending the Most Time Surfing Web Sites (Active Time, hours)

CHART DATA

More than 50 built-in charts and reports allow you to quickly and easily identify your top achievers, productivity wasters, and anyone engaging in inappropriate or potentially damaging conduct.


SPECTOR 360
Monitoring, Surveillance and Investigation Software

PC Magazine Editors’ Choice
“Spector 360 is the most mature surveillance offering for business use.”

For more information, visit: WatchWith360.com or call us anytime 1.877.288.5699

See results within 24 hours of installing Spector 360... we guarantee it! Don’t just take our word for it. Try Spector 360 for yourself by calling 1.877.288.5699 and requesting a FREE test drive.

Expect to See Immediate Results




rights reserved. PC Magazine Editors’ Choice Award logo is a trademark of Ziff Davis Publishing Holdings Inc.


By Mary Brandel


Hold Everything!

Well, not everything. “Legal hold” software helps make smart record retention decisions in this litigious era.




Legal hold software is intended to help companies comply with the Federal Rules of Civil Procedure (FRCP), which require them to preserve potentially relevant information when litigation can reasonably be anticipated. Specifically, it helps businesses satisfy the requirement to send written legal holds to identified individuals and take ongoing and proactive steps to ensure their compliance.

The importance of doing legal hold correctly was driven home by a February 2010 opinion by Judge Shira Scheindlin, a thought leader in e-discovery, who said that a finding of gross negligence could be supported if companies failed to:

■ Issue a written litigation hold.

■ Identify key players and ensure their electronic and paper records are preserved.

■ Cease deleting e-mail or records of former employees that are in a company’s possession, custody or control.

■ Preserve backup tapes when they are the sole source of relevant information or when they relate to key players, if the relevant information maintained by those players is not obtainable from readily accessible sources.

As the law becomes more defined, companies are turning to automated methods of preserving relevant data in a systemized, repeatable and defensible manner that eliminates human error, allows faster response times to requests and decreases exposure to potential sanctions. “The time-honored approach is to manually issue written notices to all relevant custodians, but with the massive data explosion, that’s a very difficult thing to track,” says Deb Logan, an analyst at Gartner.

Legal hold software also helps bridge the gap between IT and legal. “IT are the ones who are going to have to produce the backup tapes or e-mail files,” says Christine Taylor, an analyst at Taneja Group. “But IT is rarely told or consulted or given a hint that there might be a legal case.”

Illustration by Jason Schneider

Market drivers

While many companies do not use automated legal hold software today, the number that does use it is expected to rise as litigation frequency and data volumes increase. For instance, in a recent survey by Forrester and ARMA International, less than half (48%) of the 400 records-management decision makers surveyed said their records-management solution supports legal hold natively or through a third-party integration. More than half said their application doesn’t support legal hold, that they don’t know if it does, or that it does, but those capabilities aren’t currently being used.

This represents considerable legal exposure, according to the report. “In conjunction with legal, IT and other stakeholders, it’s essential to implement and improve legal hold procedures,” the report said.

According to Kazeon (now an EMC subsidiary), an average Global 2000 company is dealing with 143 concurrent lawsuits, and the average midsize-to-large company handles over 20 ongoing suits at any given time. Taylor says companies that see 20 matters a year are roughly the size at which legal hold software starts to be necessary.

But that doesn’t mean companies are pulling out their wallets. A 2009 survey by IDC says that among the most litigious and highly regulated industries, average data collection volumes per matter are rising; however, corporate e-discovery technology budgets are flat or declining. The early results of the 2010 study suggest a slight improvement in budgets, according to IDC, but litigants will continue to highly value cost efficiencies.

Market  evolution 

According to Exterro, which sells Fusion legal hold software, these are the five steps to creating defensible legal holds:

1. Select custodians and data stewards.

2. Send notices, using preformatted, configurable template notices to provide total defensibility.

3. Track responses, including time and date stamps.

4. Send automated reminders and escalations to nonresponsive custodians.

5. Release the hold to lift the preservation obligation.

Legal hold offerings can provide capabilities beyond these five essentials through integration with third parties, the vendor’s own suite or on their own. Extended capabilities include identification of relevant information, data preservation in place or in a repository, data collection, data mapping, and litigation lifecycle management.

Katey Wood, research associate at 451 Group, an independent industry analyst firm, says there are two types of legal hold products:

■ E-mail-driven systems that provide workflow for creating and tracking custodian notifications. This type is best represented by PSS Systems’ Atlas and Exterro’s Fusion. This market is commoditizing, she says, leading these vendors to branch into discovery management/information governance in PSS’s case and project management and data mapping in Exterro’s.

■ Systems that go beyond notification can enforce data preservation by securing the documents to prevent spoliation, either through collection to a separate repository or by managing them in place. This type is best represented by Autonomy, Kazeon, StoredIQ and Recommind, she says.

Furthermore, Wood says, legal hold enforcement features are increasingly being folded into information governance systems and archives, litigation response platforms and early case assessment tools.

Most archiving and records-management systems also have some type of legal hold capabilities, says Brian Hill, senior analyst at Forrester Research. However, these work only within the archive or records-management system itself. “That’s where legal hold software comes into play, to help tie these applications together more effectively,” he says.

Logan, however, says she has yet to see a client use legal hold software to collect or preserve data from numerous sources. She advises clients to at the very least get a file- or e-mail-archiving system or a records-management system with legal hold functionality, such as from Symantec, Mimosa Systems or EMC. While it doesn’t solve the whole problem (for example, these systems don’t collect data from desktops, laptops and other systems), “it takes away a big part of the problem,” she says.

The latest development is vendors introducing software-as-a-service-based, pay-as-you-go legal hold offerings. Cloud-based introductions in February included Zapproved’s Legal Hold Pro, CaseGuard Technologies’ HoldIT and Exterro’s Cloud Fusion. These systems will appeal to cost-sensitive companies that are willing to perform the legal hold function themselves but don’t want to pay licensing fees, Wood says.

Available  features 

Here’s a sample of the range of features offered in legal hold software, according to listings on vendor websites:

Identification: Capabilities include the ability to search out and identify custodians by a number of attributes, such as their responsibilities for records and IT systems or involvement in the issue in dispute; to copy custodian lists from existing matters to accelerate and improve the process of defining the scope of the hold; and to provide an organizational view of employees, data sources and departmental structure.

Notification management: Sends automatic, periodic reminders to custodians, as well as escalation notices for nonresponsive custodians. Tracks acknowledgments with time and date stamps.

Interviewing: Enables legal staff to conduct consistent and far-reaching custodian interviews online to ensure the scope of holds and collections is sufficient but not over-broad.

Templates: Creates consistency in legal hold messaging and efficiency in legal hold processes.

Preservation in place: Enables immediate lockdown during early assessments and in-place analysis before deciding to collect information. Prevents users from modifying, deleting or moving data while giving designated users read-only access in order to facilitate daily operations.

Copy and move: Collects data from a variety of sources, including e-mail systems and archives, file shares, enterprise content systems, social networks, portals, laptops and desktops, and moves it to a repository for relevant material preservation.

Forensically sound collections: Ensures meta-data preservation and permits full-disk imaging. Performs a data integrity and verification test to ensure chain-of-evidence preservation.

Activity logs and reports: Produces audit trails that automatically record event and user history to deliver comprehensive reports. Exports matter, legal hold, security and audit trail data to Excel and similar applications using comprehensive reporting capabilities.

Data mapping: Automatically builds, updates and maintains custodial data maps.

Hold release: Automatically enacts hold releases to ensure routine disposal resumes and prevent over-preservation.

Connectivity with end-to-end e-discovery systems: Links with systems that perform early case assessment, review, analysis, production, data preservation, forensics, information management, and so on.

Integration with existing enterprise systems: Connects to HR, storage, e-mail archives, content repositories, file shares, content management systems, retention platforms, document management systems, directory services, legal review systems and archive media.

Flexible deployment options: Ability to run on appliances, laptops or servers, or enable collections to be held locally or remotely in a secure cloud environment.

Evaluation  criteria 

When Dan Klinger, who leads information security efforts at Hershey, went looking for a legal hold system, he wanted something cost-effective and delivered by a market-leading vendor that could provide exceptional support. He eventually chose Exterro’s Fusion Legal Hold. Other factors he took into account in his search included:

High defensibility: Klinger valued the ability to provide exportable audit trails, change histories and login reports to build defensibility.

Intuitive usability: Wizards and workflows ensure quick uptake but also enforce compliance, Klinger says. “Each step is contingent upon successful and correct completion of the previous step,” he says.

Feature-rich: He considered features such as reporting, escalation and HR integration essential. Real-time HR integration is important, Klinger says, because when a legal hold-triggering activity occurs, it’s critical to be able to scope custodians quickly and accurately. “It ensures we always issue the legal hold notification to the right people, regardless of changes in title, department or employment status,” he says. Reporting needs can include audit trails, change history reports, acknowledgement receipts and tracked communication between the legal team and custodians. “These are all critical reports for building defensibility for any litigation activity,” he says.

Dos  and  don’ts 

DO consider integration with a collection and processing system. According to Guidance Software, which sells EnCase Legal Hold, many current litigation hold solutions do not provide an integrated technical means to systematically collect and process data from custodians subject to litigation holds. These systems, Guidance says, merely send and track e-mails to custodians, often while promoting custodian self-collection, which has drawn harsh scrutiny from the courts and presents risks such as noncompliance, under- or over-collection, meta-data alteration or spoliation, inadequate chain-of-custody documentation, authentication challenges and business disruption.

For a higher degree of risk protection, Guidance and others argue, it’s best to consider a system that comes with the native ability to track and report on the collection and processing of data, or that tightly integrates with other e-discovery systems that can do so. In Guidance’s case, users can issue litigation holds, interview custodians, monitor compliance with the holds and track the progress of collection and processing of potentially relevant data, all in a single case database.

Autonomy’s sales pitch emphasizes the system’s additional features, such as automated data identification, preservation and collection with notification and interview management, and the ability to automatically suggest custodians and data sources.

Meanwhile, Kazeon says it integrates seamlessly with retention providers such as NetApp’s SnapLock, Data Domain’s Retention Lock and Symantec’s Enterprise Vault. According to Kazeon, this feature provides extensive defensibility and auditability for e-discovery by ensuring no spoliation of data and no modifications of meta-data.

DO look for a system that integrates with your e-discovery processes. At Hershey, Klinger wanted a system that acts as an extension of the company’s e-discovery program. Exterro’s Fusion, he says, automates and streamlines Hershey’s e-discovery process, and provides critical integrations with data lockdown solutions that search, crawl and archive information.

DO consider in-place functionality. Systems such as Kazeon’s KazHold and Autonomy’s Aungate provide both a copy-and-move function and another called in-place legal hold, which locks data where it resides on the network and modifies file permissions so that only the legal hold owner retains full access. Users who had permission to access the file previously will still be able to read it, but not modify or destroy it.

This feature, Kazeon says, delivers early assessment capability while avoiding collection challenges. It allows corporations to quickly freeze information in place for initial assessment, then copy and move only what’s relevant, saving network bandwidth, processing time and storage expense.

The alternative is the system making a copy of the document and moving it to a secure storage system. After the move, a data integrity and verification test is performed to ensure data integrity and chain-of-evidence preservation.

The downside, Logan says, is user inconvenience. “They go to their desktop, their most personal place, and find they can’t open a file. It just doesn’t make sense. It’s a total user no-no,” she says.
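The in-place lock and the copy-and-move collection described above (and in the "Preservation in place", "Copy and move" and "Forensically sound collections" feature entries) reduce to two small filesystem operations. The following is an added example written for this page, not code from Kazeon, Autonomy, Guidance or any other vendor named here: it strips write permission from a file held in place, then collects the file to a repository with its timestamps intact, hashing before and after the copy and appending a chain-of-custody record that can be re-verified later. It assumes a POSIX filesystem (chmod semantics); the file name, custodian name and file contents are constructed sample data. NTFS ACLs or WORM storage such as SnapLock need different calls, and a plain mode bit can be undone by the file's owner or by root, which is why the recorded hash matters more than the lock itself.

```python
"""Legal hold primitives: in-place lock and a hash-verified collection.

Added example for this page, not any vendor's code. Assumes POSIX chmod
semantics; the sample file and custodian below are constructed data.
"""
import hashlib
import json
import os
import shutil
import stat
import tempfile
import time
from pathlib import Path

READ_ONLY = 0o444  # r--r--r--: anyone who could read still can; nobody writes


def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large evidence files are not loaded into RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hold_in_place(path: Path) -> dict:
    """Preserve in place: record the hash first, then strip the write bits."""
    digest = sha256_file(path)
    os.chmod(path, READ_ONLY)
    return {"path": str(path), "sha256": digest,
            "mode": oct(stat.S_IMODE(path.stat().st_mode))}


def collect_to_repository(src: Path, repo: Path, custodian: str) -> dict:
    """Copy-and-move collection with an integrity verification step.

    shutil.copy2 carries the source mtime/atime and mode bits across. The
    digest is computed before and after the copy and the two must match,
    and the result is appended to a chain-of-custody log in the repository.
    """
    before = sha256_file(src)
    src_stat = src.stat()
    dst = repo / custodian / src.name
    dst.parent.mkdir(parents=True, exist_ok=True)
    shutil.copy2(src, dst)
    os.chmod(dst, READ_ONLY)
    after = sha256_file(dst)
    record = {
        "custodian": custodian,
        "source": str(src),
        "repository_copy": str(dst),
        "sha256_source": before,
        "sha256_copy": after,
        "verified": before == after,
        "mtime_preserved": int(src_stat.st_mtime) == int(dst.stat().st_mtime),
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }
    with open(repo / "chain_of_custody.jsonl", "a") as fh:
        fh.write(json.dumps(record) + "\n")
    return record


def verify_repository(repo: Path) -> list:
    """Re-hash every collected file against the log; return the mismatches."""
    bad = []
    with open(repo / "chain_of_custody.jsonl") as fh:
        for line in fh:
            rec = json.loads(line)
            if sha256_file(Path(rec["repository_copy"])) != rec["sha256_copy"]:
                bad.append(rec["repository_copy"])
    return bad


def demo() -> dict:
    """Constructed sample: one custodian file, held in place, then collected."""
    work = Path(tempfile.mkdtemp())
    custodian_file = work / "q3_forecast.xlsx"          # constructed name
    custodian_file.write_bytes(b"constructed sample spreadsheet bytes")
    os.utime(custodian_file, (1_262_304_000, 1_262_304_000))  # 2010-01-01 UTC
    held = hold_in_place(custodian_file)
    rec = collect_to_repository(custodian_file, work / "repo", "jdoe")
    return {"held": held, "collected": rec,
            "mismatches": verify_repository(work / "repo")}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it directly to see the hold record, the collection record and an empty mismatch list. The `verify_repository` re-hash is the "data integrity and verification test" the feature list refers to; repeating it on a schedule while the hold is open is what turns a one-time copy into a defensible chain of custody.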

DON’T overlook the biggest discovery risks. According to PSS Systems, it’s important to find a legal hold system that can help you overcome the Big 7 discovery risks:

1. Failure to identify the right custodians.

2. Missing rogue or employee-managed data sources in hold or collection.

3. Missing data when an employee transfers or departs.

4. Retiring or modifying data on hold.

5. Failure to follow through on data identified in the interview process.

6. Overlooking or mishandling data in collection.

7. Inability to assemble or defend the discovery audit trail.

DO look at the vendor’s road map. The legal hold software market is in a state of evolution. For that reason, Klinger says, it’s important to be familiar and comfortable with the chosen vendor’s road map. In the case of Exterro, his team liked the fact that the vendor’s e-discovery offerings were more than just a point solution. In addition to Fusion Legal Hold, Hershey plans to implement Exterro’s entire enterprise solution suite. “Next up, we will be implementing their discovery workflow management module, and we’ll begin using Genome, their automated data-mapping solution,” he says. He particularly likes that Exterro’s road map is focused on the legal industry. “It’s clear that they understand the challenges faced in the legal industry and are committed to providing software that can deliver real benefits in cost and time savings,” he says.

A Sampling of Legal Hold Software Systems

Vendor: Kazeon (an EMC subsidiary)
Product: KazHold
Comments: Started as a data classification vendor, then turned to e-discovery.* EMC also provides an archiving system and additional e-discovery management modules, including early case assessment and processing.** Through the SourceOne brand, EMC will offer an information governance system with policy-based management. A differentiator for KazHold is the ability to do in-place preservation.*
Main competitors: Autonomy, StoredIQ, Recommind*

Vendor: Guidance
Product: EnCase Legal Hold
Comments: This litigation hold-tracking module integrates with EnCase eDiscovery (used for data mapping, identification, preservation, collection, processing and producing load files for review platforms). Guidance is one of the only major public software companies prominent in e-discovery, and its products are well known to law enforcement officials and courts.**
Main competitors: Autonomy, Kazeon and StoredIQ

Vendor: Exterro
Product: Fusion Legal Hold
Comments: This module of Exterro’s platform is a legal hold workflow/notification/tracking tool marketed mainly to large enterprises. Exterro also sells a SaaS-based product for law firms to conduct legal holds for clients. It has branched out into data mapping and project management for integrating point tools and coordinating workflow of the e-discovery process. Its next step will be moving all its modules to the SaaS platform.*
Main competitors: PSS Systems

Vendor: PSS Systems
Product: Atlas Suite
Comments: One of the first to offer a workflow/notification/tracking system, Atlas is aimed at large enterprise accounts. It is moving toward becoming a discovery management and information governance data disposition platform.* PSS has begun to partner with collection vendors and Atlas integrates with repositories that allow holds to be placed directly in the repository.**
Main competitors: Exterro

Vendor: Autonomy
Product: Aungate, Zantaz
Comments: The Zantaz appliance will likely appeal to mid-market customers who want plug-and-play capability, with the ability to secure data and perform early case assessment. It also enables in-place preservation. Aungate, marketed to large enterprises, is part of a suite that includes identification and data mapping, notification workflow, information management, processing, review, analysis and production.* Autonomy offers an unmatched range of connectors to data sources and the ability to search audio and video. Available on demand and on premises.**
Main competitors: PSS Systems, Guidance Software, StoredIQ.** Also Kazeon, as both sell archive-based information governance and legal hold separately, and Recommind, as both sell early case assessment features with legal hold.*

Vendor: StoredIQ
Product: Intelligent Information Management
Comments: Started in the data classification market but later turned to e-discovery.* Performs identification, preservation and collection, with processing, review and analysis features. Its background in search makes it a good choice for clients looking for flexible, powerful identification, collection, litigation hold and early case assessment.**
Main competitors: Autonomy, AccessData, Guidance Software and Kazeon

Vendor: Recommind
Product: InSite Legal Hold
Comments: Provides good features for monitoring, reporting chain of custody, auto-update and early case assessment. Available direct, and also partners to provide e-discovery capabilities in Open Text ECM software.* Other e-discovery capabilities include identification, preservation, collection, processing, review, analysis and production. Its analysis features (auto-categorization, conceptual search and entity extraction) are important differentiators.**
Main competitors: Autonomy, as both offer early case assessment and legal hold in one product, and Guidance, Kazeon, StoredIQ*

Vendor: Zapproved
Product: Legal Hold Pro
Comments: A SaaS-based, pay-as-you-go notification service that charges per matter, by custodian, starting at $150 per month.*

*Source: 451 Group. **Source: Gartner.

DO consider the cloud. According to Wood, the market for e-mail- and workflow-based hold notification is commoditizing, especially with the arrival of SaaS self-service systems. Enterprises willing to pay $250,000 for on-premise licenses are becoming scarce, she says, and midmarket companies want more aggressive pricing and more convenience. “That’s why vendors like Exterro and PSS have been diversifying, to capture more of the market,” she says.

Zapproved Legal Hold Pro starts at $150 per month, and price is based on the number of matters per custodian. IDC says this will appeal to corporate litigants with small or one-off legal matters because of its simple pricing model and ease of deployment. Exterro’s Cloud Fusion targets law firms, charging them on a per-matter, per-client basis, Wood says. “It’s a good way to reach enterprise companies who have no intention of purchasing legal hold at all on their own, and opens up Exterro’s market to a law firm customer base,” she says.

Although the cloud is appealing, Wood says some users may hesitate to store legal data there. “It can be a tough sell because of the legal sector concerns about security and access, but I think e-discovery is inevitably going in that direction, even if the purchasing decision is more cost-driven than due to acceptance of the risks,” she says.

DO consider early case assessment. Providers of legal hold software are busy moving to what Taylor calls the right-hand side of the Electronic Discovery Reference Model, particularly adding analytics capabilities for early case assessment. “This is a way for lawyers to quickly analyze large groups of documents early in the process, to get a good strategy going and to cut down the size of the data set,” she says. ■


Mary  Brandel  is  a  frequent  contributor 
to  CSO.  Send  feedback  to  Editor  Derek  Slater 
at  dslater@cxo.com. 




COVER  STORY  I  LEADERSHIP 


The Art and Science of Leadership


The  2010 
Compass 
Award  winners 

provide  critical 
lessons  in 
integrating 
security  with  the 
business  mission 

BY  BILL  BRANDEL 




Roland  Cloutier 

CSO  and  Corporate  Vice  President,  ADP 


EVERY DAY OF every week, millions of employees throughout the United States and around the world receive their paychecks, whether through direct deposit or as a live check and stub, through ADP. For years, the company has been a trusted outsourced business provider, so much so that it is a critical cog in the national economic machine. With the stakes so high, it is Roland Cloutier who has been tasked with ensuring the security of this global operation and making it run smoothly.

How  would  you  size  up  the  security  task  you’re  charged  with  at  ADP? 
From  a  security  practitioner  standpoint,  ADP  is  a  big  target.  It  pays  a 
quarter  of  the  U.S.  workforce.  We  float  north  of  a  trillion  dollars  every 
year.  We  have  to  ensure  that  millions  of  checks  are  cut  and  delivered  to 
people  around  the  globe.  That  is  a  huge  challenge.  Business  resilience  is 
the  single  key  objective  I  have  as  CSO. 

What is the key driver to implementing a global security strategy?

We  have  to  ensure  that  there  is  a  well -developed  risk  framework  that 
works  across  the  entire  organization.  At  the  same  time,  we  have  to  look 
at  the  service  levels  required  in  any  specific  segment,  and  what  those  risk 
levels  are  and  how  do  we  apply  which  services  and  articulate  controls, 
and  what  metrics  and  key  performance  indicators  (KPI)  do  we  use  to 
ensure  that  they  are  effective. 

What  do  you  consider  the  most  difficult  or  rewarding  accomplishment 
of  your  career?  At  a  previous  company,  I  used  to  work  with  this  hard-core 
sales  executive  who  couldn’t  have  cared  less  about  security.  After  four 
years  of  my  rolling  out  programs  and  a  security  organization,  I  get  a  call 
from  this  guy,  and  he  says,  “Roland,  I’m  about  to  pitch  an  idea  to  my  team 
for  manufacturing  stuff  in  an  Asian  country.  Talk  to  me  about  security 
and  the  threat  perspective  and  how  we  could  manage  risk  in  that  environ¬ 
ment.”  His  first  call  was  to  ask  the  CSO,  “Could  we  do  this?”  It  was  the 
first  time  that  a  senior  business  executive  showed  me  that  he  understood 
that  security  was  simply  part  of  doing  business. 

Can  you  name  one  of  the  biggest  mistakes  you’ve  made  during  your 
security  career  and  what  you  learned  from  it?  I  made  two,  actually.  One 


Photo  left  by  Getty  Images;  right  by  Peter  Murphy 




was  that  I  assumed— I  thought— people 
were  executing  and  were  being  held 
accountable.  It  wasn’t  until  I  put  that  work 
into  a  lifecycle  approach  that  I  realized 
that  I  actually  had  a  problem.  Thankfully, 
it  was  mitigated  before  it  could  become  a 
big  problem.  Now,  the  lifecycle  approach 
is  very  big  with  me,  to  have  the  governance 
and  oversight  of  what  we  are  accountable 
for.  It  will  never  happen  again. 

The other mistake was with communication. We can get so busy in developing our organization that we fail to communicate with our own team or with clients internally or externally. In fact, you have to constantly reset your communication strategy. It’s a fundamental part of doing business today. Every day I wake up and think about how I am going to communicate today and measure accountability.

What  are  two  things  about  security  or 
security  leadership  you  wish  you’d  known 
10  years  ago?  More  often  than  not,  that 
the  people  we  support  are  looking  for  an 
answer.  They  want  us  to  say:  Here  is  your 
problem,  this  is  why  it  is  a  problem  for  you, 
and  here  is  how  I  suggest  that  you  remedy 
that  problem.  I  wish  I  had  known  that  10 
years  earlier.  Before,  I  had  always  assumed 
that  we  were  being  requested  to  do  things, 
and  would  respond  with,  “What  do  you 
want  to  do?” 

It’s also very important to have business acumen. I was fortunate enough to work for one of the smartest CFOs in the industry. It provided me with a financial perspective on how you can genuinely affect the organization. You really need to know the details of financial knowledge to truly understand how your security practices impact an organization.

How  has  the  current  economy  affected 
security?  It  has  not  presented  threats  on 
the  physical  side,  but  on  the  cyber  side, 
fraud  issues  have  increased  dramatically. 
Phishing  schemes  are  up  10-12  times  over 
the  last  year.  You  see  people  who  leave 
their  organizations  and  are  taking  trade 
secrets  to  other  businesses.  The  economy 
has  had  an  impact. 

When it comes to business stakeholders, what is their most dangerous misunderstanding about security? That anything that you do in security is a one-time fix. People think, “Something was a problem, but the security guys fixed it.” Often, security practitioners themselves rest on their laurels for a variety of reasons and become complacent in measuring the actual outcome of their efforts. We end up forgetting to look at lifecycles or KPIs or what we had committed to in terms of security. This is where security professionals have to communicate that security is a moving target. Bad guys will change the strategy and the technology they use. We have to remember that security is a living, breathing part of the business fabric.


Erin  Jacobs 

CSO,  United  Collection  Bureau 


MANY CSOs MIGHT prefer that the issues raised by Facebook, Twitter and blogs just go away. Not United Collections Bureau CSO Erin Jacobs. She has embraced social networking to create her own forum for pushing the boundaries on the matters she holds dear: security, Mac OS X and gender issues in information security. Not your average CSO, Jacobs has cultivated an online presence using the handle SecBarbie (www.secsocial.com/blog).

Photo by Shannon McIntyre

Why did you start the SecBarbie blog? When it started in ’05, it was about security sociability. I’d blog for humor, lightheartedness, post about things that amused me. I never anticipated any sort of following or readership. It is a space where I discuss security industry-related challenges I experience in my workplace, or discuss vendors. It was just my blog, very self-serving. I really don’t think of it as being on some high horse or a huge pedestal. Often, I am using SecBarbie to just poke fun at myself.

Is  it  your  mission  to  raise  the  profile 
of  the  security  profession?  Actually,  I  am 
attempting  to  elevate  and  cultivate  gender 
awareness  in  this  industry.  There  are  fewer 
women  entering  the  computer  profession 
today  than  in  1980.  In  1980,  there  were  not 
nearly  as  many  career  choices  available  to 
women  as  there  are  today.  So  to  see  that 
number  go  down  is  concerning. 

Do you think there should be more women working as security professionals? I’m not sure if that matters. But all people should have the same opportunity. Due to the way we are weighted, there won’t be as many C-level women. For example, Apple has no women in C-level management. Is Apple not welcoming? Not the case. We simply are not keeping women engaged in regards to what is available. I think part of it is that we are doing a bad job of teaching information security to (female) teenagers.

As  a  security  professional, 
does  your  own  use  of  social  media 
create  any  challenges  for  you? 

Social  media  is  giving  us  a  ton  more 
challenges  than  we  ever  expected. 

People  are  putting  all  this  info 
out  there.  For  safety  purposes— 
whether  it’s  for  a  teenager  or  an 
organization— it’s  all  the  same. 

What  is  out  there— all  of  it— will 
stick,  permanently.  Where  is  the 
dividing  line  between  what  you  do 
at  work  and  on  your  own  personal 
time,  and  where  is  the  jurisdiction 
for  that  in  an  organization? 

I  have  to  apply  those  guidelines 


to  my  own  use  of  social  media.  I  am  very 
careful  about  what  I  will  disclose  online. 
There  is  never  any  mention  of  my  family. 

In  fact,  I  actually  don’t  have  any  family 
members  on  my  Facebook  page.  This  is  a 
personal  safety  issue.  If  I’m  putting  myself 
out  there,  I  feel  there  needs  to  be  a  line 
between  public  and  private  life.  And  I’m 
a  tech  geek;  I  would  like  to  do  a  lot  more 
with  it  than  what  I  actually  do. 

How has your work in collection management shaped your approach to security management? As part of my training in my first accounts receivable organization, I was told that I needed to understand every working part of the business to understand my role in it. So they made me train in every aspect of the business: the mail room, collections floor, posting, finance, IT staff, reception. I worked in every functioning role. It’s humbling. And valuable. It raises awareness of what your role is in the organization, manager or director, IT or IT admin. Too often, we get caught in our silos and forget what the big picture is.

Can you name one of the biggest mistakes you’ve made during your security career and what you learned from it? Earlier in my career, I had concentrated too much energy on regulatory compliance and audit control. Yes, it is a driving role for a CSO to ensure regulatory compliance and that the audit is passed and is running smoothly, but that is not the real and whole world of security. I had to learn to prioritize risk and communicate that need to my peers and ensure that those priorities are not dictated by audits. It’s a mistake to become a checklist CSO, rather than being focused on the real role, which is to focus on the risk to the organization.

What principles are essential to security leadership? A degree of humility is very important. You need to remember where you came from and what it is like to be in other positions, and be able to see the world through those eyes. You have to go to facilities, get out with people and stay engaged with them on a day-to-day basis. You have to understand what is going on.

You also have to be open-minded. It is important to remember that what might have been right in one moment may need to be revisited at another time. You have to evolve as a security professional. You can’t have your head so high up in the clouds that you don’t recognize when new things—like social media, for example—are evolving. We have to ensure that we stay on top of everything.


Bruce Schneier

Chief Security Technology Officer, BT

AS AN AUTHOR of books on security, the influential Crypto-Gram newsletter and the blog Schneier on Security (www.schneier.com), as well as a frequent guest on TV and radio, Bruce Schneier has become something of a celebrity in the world of security: He may be the only CSO whose likeness is used to sell T-shirts. Still, the most rewarding aspect of his career, as he conveyed in this interview conducted by e-mail, is that he believes he is having an impact on people’s thinking about security.

What are three fail-proof principles of security leadership? One, tell the truth as you see it. Two, don’t be afraid to change your mind. Three, be public when you’ve made a mistake or changed your mind. Note: These principles might not work in a traditional corporate setting.

Photo by Steve Niedorf

April 2010 www.csoonline.com 25

What are two things about security leadership you wish you’d known 10 years ago? One, economics matters a lot. Two, psychology matters even more.

What does psychology have to do with security? Security is fundamentally about people—people as attackers as well as defenders—and if you don’t understand the people you’ll never understand security. It affects everything. Take an obvious example: terrorism. Terrorism kills approximately no one in the United States every year, and automobiles kill 40,000 Americans every year. That’s more than a 9/11’s worth of deaths each and every month. Yet where do we spend our money? It’s the same everywhere: trying to enhance our feeling of security, sometimes by enhancing the reality of security and sometimes by implementing security theater.

What this means is, when you think about a security system—as a developer, as a buyer, as an implementer or as an attacker—you need to understand the psychological motivations of those involved with the system. If you don’t, you’re going to get it wrong.

What will be the next big topic in the security field? Transparency. Transparency of everything, because that’s how you know what’s actually going on. So much of security is sold and implemented on the “trust me” paradigm. Unfortunately, that results in a whole lot of bad security. So it will be transparency about threats, about attacks, about losses, about product capabilities.

What is the most over-hyped topic in the security field? It’s a serious problem with our industry. Companies emerge selling one thing: firewalls, public key infrastructure, biometric login, or whatever. In order for them to convince customers, as many as possible, to buy their stuff, they have to over-hype it. They have to claim that their solution is the one solution everyone needs. Of course that’s ridiculous—while most security technologies have some value, none are panaceas—but the companies can’t help themselves. Of course, this leads to inevitable disillusionment of customers when their antivirus product or authentication service doesn’t magically make them secure. And, sadly, we’ve created a customer base that’s pretty skeptical of new security technologies or solutions.

If a CSO could get budget approval for one security investment, what should it be? An analysis to determine whether his other security investments are worthwhile.

What is business stakeholders’ most dangerous misunderstanding about security? That security matters very much. Security is almost always a part of a larger decision, and it’s rarely the primary driver of that decision. It’s true for large decisions like invading Iraq, and it’s true for small decisions like whether the CEO gets a BlackBerry or not. Knowing how much security actually matters—and it invariably matters less to non-security people—is vital to understanding and influencing these decisions.

There is much discussion that people who commit cyberfraud or cyberattacks are growing increasingly sophisticated, and that this practice has proliferated during the recession. Do you agree? Will this recession be remembered as a time when cybercrime evolved to the next level? Cyberattacks have continually gotten more sophisticated over the past decade. I don’t think the recession is causing any additional renaissance in sophistication. There’s a lot more money in cybercrime, and it’s gone both professional and international.

What do you see as the risk potential of social media for most organizations? This is a complicated question, because every answer is correct. The risk of using social networking sites is that employees will post sensitive corporate information online. The risk of banning them is that employees will not come work for you, because you’re a Neanderthal 20th century company. Social networking sites are how people socialize, and you can’t fight the trend. What you can do is enforce corporate confidentiality requirements across the board, regardless of medium.

Do you get any of the royalties on the sales of Bruce Schneier T-shirts? Not a penny. If I weren’t so entertained by the whole idea, I might be annoyed.



Alan Nutes

Security Manager, City of Atlanta Department of Watershed Management

LEADERSHIP IS ULTIMATELY tested by necessity, and its most successful iteration is arrived at by teamwork. As a leader, Alan Nutes is driven by the imperative to protect a large American city’s water supply while under relentless municipal budget pressure. Working with city government, Nutes has adopted technological innovation to address tough problems, while the city of Atlanta has secured funding to protect its critical infrastructure when it is needed most.

How is your security challenge unique? The security challenge here is to protect the city’s water supply. While stakeholders were aware of the need for security, it was not until Homeland Security got involved and set new ground rules for infrastructure that we had to do certain things. To meet those new rules, the Watershed has enhanced procedures and improved education of its stakeholders and the employees. Many of the employees here go back 20 to 30 years with the city, and it has been an enlightening experience to educate them about the importance of security.

What actions have you taken to secure Atlanta’s water supply? There are adverse topographical site and field conditions. We have some reservoirs up on a hill. We also have facilities that lie across from each other on the Chattahoochee River. We needed to ensure secure data transmission between these facilities. It would have been prohibitively costly to run circuits to bridge these together. Because we have good line of sight between the facilities, we were able to use a wireless system to connect these facilities. We are using our own VPN, instead of riding on the city’s network. The use of the wireless aspects has resulted in a 99.9% up-time. It saves the city about $5,000-6,000 per month.

How are you using RFID at the Watershed? We are now looking at the use of RFID for inventory control. Prior to this, some assets have turned up missing or could not be located. We can use RFID to track assets such as water meters, generators, saws that cut concrete, and fire hydrant components.

Why would you need RFID tags on fire hydrants? Several of the components are made of brass. Brass has become a valuable commodity during this economic downturn. With barcoding and RFID, we can now reduce the risk of losing hydrants. We expect it to save hundreds of thousands of dollars.

We implemented a pilot program in a warehouse that stored 14,000 water meters, valued at $2 million. Not one is missing. Without the use of barcodes, I am sure that many would not be located. We are now also implementing a project to add GPS to approximately 78,000 meters that will cover 1.2 million customers over a 650-square-mile area.

What is the most dangerous misunderstanding that stakeholders have about security? Most people still consider security a cost center. The fact is, there is real ROI for mitigating risk and reducing security issues. Still, when there are cuts, it’s often security that gets cut.

With the economy forcing cities and towns to cut funding for programs, how has this affected the watershed’s security efforts? Atlanta actually adopted a city ordinance, called the Water and Wastewater Systems Security Surcharge, where users of Atlanta water and wastewater pay 15 cents per 100 cubic feet of water. This generates something like $30 million, which is used to reduce water system vulnerabilities and to fund things such as: the purchase and installation of security equipment; security improvements to electronics and computer and automated systems; participation in training programs; and screening processes for employees and contractor support services.

These funds don’t impact the operating or capital budget, and it places the security function in a position where we don’t have to request funding from the city council to protect the infrastructure. I believe that we’re currently the only city that is funding infrastructure security this way. Now, other cities may be looking at this option for funding their security initiatives.

“Most people still consider security a cost center. The fact is, there is real ROI for mitigating risk and reducing security issues.”

—Alan Nutes

Photo  by  Stan  Kaady 



COVER STORY | LEADERSHIP


Leslie K. Lambert

Former CISO, Sun Microsystems

WITH ALMOST 30 years’ experience in information technology, Leslie K. Lambert has made her mark by adhering to an ethos of using technology in a responsible manner. Well steeped in the culture of Sun Microsystems, she has long been a champion of transparency and individuality. A respected member of the Security Executive Council, Lambert continues to provide a clear-eyed view of how organizational security and individual respect can coexist in the face of emerging threats.

What was one of the most challenging aspects of information security at a company like Sun Microsystems? Sun’s approach to internal business execution had evolved over the last seven or eight years; we dramatically increased the outsourcing of business and operational components. In the early days, when we first outsourced manufacturing, it very often only involved installing a direct secure line with a specific manufacturer. As we expanded into this new model, we grew to 350 business process outsourcing partners, including not only external manufacturing and logistics, but business processes like payroll, handling customer calls for external and internal help desk, human resources, and staff employees using many self-service applications. We had moved to a gigantic partner security model.

How do you manage something like that? We created a multi-level technical architecture to manage business partner relationships over the Internet. What level of access you had with Sun’s network and data was determined by whether you were a Sun employee, someone from the outside using our applications, whether the people and systems were remote. On top of this, we layered a risk matrix that took into account the nature of the data that was going back and forth, and how critical or sensitive it was to the business. This would range from intellectual property or engineering plans being sent to a semiconductor manufacturer to employees using a self-service application to buy office supplies over the Web. It ranged from very risky data exchanges to just buying pencils.

Then, on top of that, on a quarterly basis, we applied an ISO 27002-based audit methodology with each partner. It was very complex and thorough.


You have an education in experimental psychology and experience in control-systems design. How does that factor into security leadership? The areas of experimental psychology that I focused on covered measurement, evaluation, techniques of experimental research, statistics and data analysis. I also spent several prior years doing control-system design. The combination of that with my analytical background bred a process-oriented, structured approach to things. I am, by nature, a cool head, and these additional experiences and skills provided me with a steady hand.

What are two things about security or security leadership you wish you’d known 10 years ago? One is the impact of this new generation of kids growing up online. I didn’t see the profound impact this would have on who we would be working with or hiring, and who we would be protecting ourselves against around the world. We are dealing with an evolved type of behavior. Ten years ago, we worried about script kiddie attacks. Those kids have now gone to college, and their skills have increased to a new level of sophistication, and now they want to make money doing what they do, too!

Another thing I wish I had anticipated was how concepts of organized crime would influence computer crime. There are sophisticated, syndicated, well-funded villains, which have been highlighted by Google’s recent exposure of botnet attacks. What is behind this is not one person, but organizations that may even be state-sponsored in some countries. They’ve deployed well-constructed command-and-control structures on the Internet, which are bringing large numbers of systems and victims within their reach.

What will be the next big topic in the security field? Data protection. What data is most critical? How do you determine where the data sits? Maybe you don’t put your data in the cloud. How do you lock down systems, servers and networks, and how do you deal with an extremely mobile workforce, and cloud computing? Do we have different components of transactions, including data, broken up across multiple notions of “cloudness”? With botnets leeching away data, how do you protect it from leaking? How do you structure both an internal and external defense, neither of which is set up as, “Lock down every piece of data and protect every system on the network”?

When it comes to business stakeholders, what is their most dangerous misunderstanding about security? Our partners are in business to generate revenue. When selecting certain strategies, they may introduce higher levels of risk without realizing it. They may make decisions to do things without fully taking into consideration the risk of shifting a piece of the business to an emerging market locale. The question of whether we can provide adequate security in that emerging market location could be overlooked. It is our role as security professionals to partner with and best advise them on how to manage or mitigate security risks in their business dealings.




Richard Gunthner

VP of Global Security, MasterCard

LAW ENFORCEMENT IS nothing new to Richard Gunthner. At MasterCard, he is the liaison to a number of agencies, including the FBI, Secret Service, CIA and Department of State. When he was the Regional Security Manager for American Airlines, he fought terrorism, drug trafficking, human smuggling and travel documentation fraud. He is highly regarded by peers in the industry association ASIS. In every context, he emphasizes the importance of understanding security’s impact on the business.

How has the economy impacted MasterCard’s security practices? In this economic climate, we are all being asked to do more with a lot less, think smarter and reduce expenses. Using technology and careful negotiations with vendors, we have been able to maximize our productivity while running a very tight and lean security organization.

We’ve reduced our expenses by 25% over the last couple of years. We are doing more with more resources deployed, but for less money.

How do you see the CSO leadership role evolving? We spend a lot of time performing analysis of intelligence and news feeds to attempt to predict future events. We are looking at trending and trying to learn from lessons of the past, and implement measures to mitigate risks and avoid those issues from impacting us in the future.

It’s fairly easy to respond after something bad happens, but harder to look across the horizon and connect those dots and predict what could be happening and institute procedures to mitigate those threats and avoid the impact on your company, facilities and employees.

What do you consider to be the most difficult or rewarding accomplishment of your career? I was the regional security manager for airline operations at 53 airports in the Caribbean, Latin America and Mexico. Our biggest challenge was to keep drugs from coming into the United States via aircraft. We were not only concerned with drug-producing countries, but transshipment points as well. There is so much money behind drug trafficking that there is the potential for many people to be corrupted. Drug traffickers use very sophisticated means to hide their contraband, such as having mules swallowing large quantities of drugs, or putting drugs in the stem of a flower, or having drugs manufactured into cardboard box corrugation. It was a very difficult challenge, but one that we were very successful in combating.

If a CSO could get budget approval for one security investment, what should it be? Invest in analysis capabilities. Have at least one analyst—or more—who can take intelligence and news feeds from around the world and analyze them. Let the analysts look at trends, at lessons from the past, and indicators of bad things to come, but most importantly, put things in local perspective: Is this a regular occurrence, or something out of the usual? Analysis allows for short- or long-term mitigation measures to be implemented.


What is the most important thing that stakeholders should understand about security, but don’t? They need to understand that there is a lot more to security than the guards they see in front of the door when they come to work every day. We do a lot of things behind the scenes to ensure that our employees can be safe as they conduct business around the world. We also try to ensure that we do this in a customer-friendly way, with the least impact on business operations. We understand that some of our employees must travel to higher-risk countries—our focus is not to discourage that necessary business travel, but to ensure that it can be conducted in a safe manner.

For example, after the London bombings in 2005, we created the “I’m OK” system for employees to use to reach out to security after being impacted by an event. This has saved a lot of time, and it lets us hear from staff members without having to reach out to each one of them. We also use the system for our high-risk-area travelers, for them to regularly check in.

We capture all travel reservations as they are booked through our travel agencies around the world. It is a sophisticated system, where we can see what flights they are on and what hotels they are staying at. Before, if there was an event, we didn’t have a quick way to know who was there. We would reach out to travel agencies, and it would take several hours. Now it’s instantaneous. In this day and age, that’s what is necessary.

What was the response to launching the system? We now have way more contact with our employees as they travel around the globe. Initially, we were concerned that we would be perceived as “Big Brother.” The reaction has actually been to the contrary. They are immensely appreciative that we are looking out for them while they are away from their families on business.


Bill Brandel is a freelance writer based outside Boston. Send feedback to editor Derek Slater at dslater@cxo.com




[INDUSTRY VIEW]

By Nicholas J. Percoco, Trustwave

Exfiltration: How Does Your Data Leave?

Most attention is on keeping hackers out. But once they’re inside, how do they get data out of your organization? Trustwave’s Nicholas Percoco says the answer is often surprisingly simple.


Cybercriminals are becoming increasingly sophisticated in their methods of attack. The same is often true of their methods of data exfiltration. Exfiltration, or exportation, of data is usually accomplished by copying it from the system via a network channel, although criminals can also manage it by using removable media or physical theft.

In 2009, the SpiderLabs team at Trustwave investigated over 200 data breaches in 24 countries. While the methods used by cybercriminals to exfiltrate data from a compromised environment varied, the method of entry into an environment was often via the remote access application used by the target organization.

In the SpiderLabs investigations, 45 percent of compromises occurred when attackers gained access to a system through a remote-access application. These were not zero-day exploits or complex application flaws, and the attacks looked no different to the IT staff than, for example, the CEO connecting from London while on a business trip.

The attackers also didn’t need to brute-force accounts to gain access. SpiderLabs found that 90% of these attacks were successful because of vendor-default or easily guessed passwords, like “temp:temp” or “admimnimda.”

Once a foothold was established, attackers often launched network enumeration tools. These are used to discover additional targets within the environment and retrieve system information, such as user names, group privileges, network shares and available services. The noise generated by enumeration tools can indicate a prelude to an attack. Unfortunately, we’ve found that most entities are not properly monitoring their systems and therefore fail to observe these indicators.

It was these types of tools that, in one instance, led attackers to the systems of several hotel properties, in addition to the one they initially hacked, through trusted private circuits. The internal connections were subsequently exploited, resulting in data breaches at physically dispersed sites. Without these connections, breaches in the hospitality sector would likely have been contained to only a few properties.

Once attackers gained access to the target environment, they harvested data using either manual or automated methods. They used manual processes to locate potentially valuable databases and documents and search the operating system using keywords to further identify data.

The automated method was custom-written malware that took advantage of a flaw in the security controls of the applications used to process confidential data. Generally, application security designs do not apply additional controls and alerting capabilities to components that process data in the clear.

If a target system receives and stores data in an encrypted state but transmits it to an upstream host, it’s susceptible to a breach while the data is being processed. This is because the system must decrypt data in RAM so that the application can understand it. Cybercriminals frequently employed RAM parsers to exploit this vulnerability—67 percent of SpiderLabs’ investigations involving malware concluded that automated tools were used to harvest data out of RAM while the system was using the data in some capacity.

Methods Used to Exfiltrate Data

  Native FTP Client                            10%
  SQL Injection                                 6%
  Malware Capability: SMTP                      4%
  Malware Capability: IRC                       2%
  Exposed Private Web Application Interface   1.5%
  HTTP File Upload Site                       1.5%
  Backdoor: Malicious PHP-Based Web Shell       1%
  Physical Access                              <1%
  Anonymous FTP                                <1%
  Encrypted Backdoor                           <1%

SOURCE: SpiderLabs. Numbers do not add up to 100 due to rounding.

The average length of time cybercriminals had access to target systems and data was 156 days. During those months, attackers entered the environment, set up their tools and harvested data without a single IT or security department reacting to their activities. Some investigations showed recurring activity from the same cybercriminals over the course of three years. Long times to detection were typical and, seemingly aware of this, cybercriminals did not practice stealth in their activities.

In 38 cases, thieves used the remote access application through which they had gained initial entry to extract data. Other existing services, such as native FTP and HTTP client functionality, were also frequently leveraged for data extraction. Specifically, when malware was utilized for data extraction, FTP, simple mail transfer protocol (SMTP) and Internet relay chat (IRC) functionality were regularly observed. (In reverse analysis of custom malware, binaries would disclose the existence of FTP functionality, including hard-coded IP addresses and credentials.)

With off-the-shelf malware, such as keystroke loggers, attackers most often used built-in FTP and e-mail capabilities to exfiltrate data. When e-mail services were employed for extraction, the attackers often opted to install a malicious SMTP server directly on the compromised system to ensure the data was properly routed.

Only a single case contained the use of an encrypted channel for data extraction, further suggesting that criminals are rarely concerned with attracting attention. Due to natively available network services, lack of proper egress filtering and poor system-monitoring practices, criminals are using available network services or choosing to install their own basic services.

It is clear that in all of these cases, sensitive data was sent out of a target environment. During this time, the IT security teams did not detect the loss.

When  looking  for  signs  of  an  attack,  IT 
security  teams  seem  to  expect  something 
complex.  However,  attacks  are  usually 
very  simple,  not  “noisy,”  and  likely  appear 
benign  in  a  routine  log  review.  It  is  not  until 
the  data  has  left  the  target  environment  and 
shown  up  in  some  other  capacity  that  the 
breach  is  detected.  Paying  close  attention 
to  the  behaviors  of  normal  activity  against 
standard  systems  is  the  key  to  identifying  a 
problem  before  it  is  too  late.  Every  anomaly 
should  be  viewed  with  a  degree  of  suspicion 
and  addressed  through  internal  investiga¬ 
tion  or,  if  necessary,  reviewed  by  an  outside 
expert.  ■ 
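Because the channels observed were plaintext FTP, SMTP and IRC from inside the network to the Internet, the matching detection does not need to be complex either: an egress check that knows which hosts are allowed to use those services. Below is an added example, not from the article or from Trustwave, that runs such a check over constructed connection records. The record layout, the internal address ranges and the sanctioned relay and gateway addresses are assumptions standing in for a real firewall log and asset inventory.

```python
"""Egress check for the plaintext exfiltration channels the article reports.

Added example (not from the article): parse outbound connection records and
flag FTP, SMTP and IRC sessions from internal hosts to the Internet, except
from the hosts sanctioned to use those services.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

# Assumptions standing in for firewall policy and asset-inventory data.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SANCTIONED_SMTP_RELAYS = {"10.0.0.25"}   # the only host that should speak SMTP to the Internet
SANCTIONED_FTP_GATEWAYS = {"10.0.0.21"}  # the only host that should speak FTP to the Internet
WATCHED_PORTS = {21: "FTP", 25: "SMTP", 6667: "IRC", 6697: "IRC"}

# Constructed sample records (assumed layout: time src dst dport proto bytes_out).
SAMPLE_LOG = """\
2010-04-01T02:14:07 10.1.5.17 192.0.2.44 21 tcp 8421000
2010-04-01T02:15:10 10.0.0.25 198.51.100.9 25 tcp 90120
2010-04-01T02:16:33 10.1.5.17 203.0.113.7 25 tcp 3210000
2010-04-01T02:17:02 10.1.8.40 198.51.100.80 80 tcp 15230
2010-04-01T02:18:55 10.1.9.12 198.51.100.200 6667 tcp 2048
2010-04-01T02:19:00 10.1.5.17 10.0.0.21 21 tcp 5120
"""


@dataclass(frozen=True)
class Conn:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int


def parse_log(text: str) -> List[Conn]:
    """Parse whitespace-separated records; blank and '#' lines are skipped."""
    conns = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes = line.split()
        conns.append(Conn(ts, src, dst, int(dport), proto, int(nbytes)))
    return conns


def is_internal(ip: str) -> bool:
    """True for addresses inside the organisation's (assumed) internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_egress_anomalies(conns: List[Conn]) -> List[dict]:
    """Return records that use a watched service to reach the Internet from an unsanctioned host."""
    hits = []
    for c in conns:
        if is_internal(c.dst) or c.dport not in WATCHED_PORTS:
            continue  # internal-to-internal, or a port this check does not cover
        service = WATCHED_PORTS[c.dport]
        if service == "SMTP" and c.src in SANCTIONED_SMTP_RELAYS:
            continue
        if service == "FTP" and c.src in SANCTIONED_FTP_GATEWAYS:
            continue
        hits.append({"ts": c.ts, "src": c.src, "dst": c.dst,
                     "service": service, "bytes_out": c.bytes_out})
    return hits


def bytes_out_by_source(hits: List[dict]) -> Dict[str, int]:
    """Total bytes sent over flagged channels per internal host; biggest totals go to the top of the queue."""
    totals: Dict[str, int] = defaultdict(int)
    for h in hits:
        totals[h["src"]] += h["bytes_out"]
    return dict(totals)


if __name__ == "__main__":
    hits = find_egress_anomalies(parse_log(SAMPLE_LOG))
    for h in hits:
        print(f'{h["ts"]} {h["src"]} -> {h["dst"]} {h["service"]:4s} {h["bytes_out"]:>9d} bytes')
    print("bytes out per source:", bytes_out_by_source(hits))
```

On the sample, the workstation 10.1.5.17 is flagged twice (an 8 MB FTP upload and a direct SMTP session that bypasses the relay) and 10.1.9.12 once for IRC, while the relay's own SMTP traffic and the FTP session to the internal gateway pass. Note what this rule cannot see: the HTTP record on port 80 goes through untouched, which is why the same check belongs on the proxy log with a per-host baseline of normal volume, not only on the firewall.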


Nicholas  J.  Percoco  is  the  head  of  SpiderLabs 
at  Trustwave.  He  has  more  than  15  years  of 
information  security  experience. 


April  2010  www.csoonline.com  31 


[  debriefing] 


Ready  for  Anything 


Are  your  business  continuity  plans  battle-tested?  Gather  the  team,  get 
out  your  cinnamon-scented  whiteboard  markers  and  work  through  these 
useful  business  continuity  and  disaster  recovery  tabletop  scenarios. 


Scenario  A 

(Elementary  level) 

Phase 1: An employee in the Muncie plant reports "a funny smell, kinda like something's burning" coming from the telephony closet.

Phase 2: Tiger Woods returns to golf and Janet Napolitano is kicked off Dancing with the Stars.

Phase 3: Your CEO's admin is sidelined by a recurring hangnail problem. (Marketing is working to estimate the impact on your social media buzz.)


Scenario  B 

(Intermediate  level) 

Phase 1: An employee in the Grise Fiord office reports "a funny smell, kinda like someone's mixing sulfuric acid and caramel toffee" coming from the upstairs men's room.

Phase  2:  The  FS-ISAC,  the  US- 
CERT,  and  the  company  that  makes 
BlackBerrys  are  all  purchased  by  China. 

Phase  3:  Shoplifters  take  your 
headquarters  building.  (Marketing  is 
working  to  estimate  the  impact  on  your 
triplicate  form  inventory.) 


Scenario  C 

(Expert  level) 

Phase 1: Your retail outlet in Monieux, France, is destroyed by a freak meteor shower.

Phase  2:  North  America  is 
destroyed  by  a  freak  meteor  shower,  but 
not  the  same  one. 

Phase  3:  The  sun  goes  supernova. 
(Marketing  is  working  to  estimate 
impact  on  in-store  traffic.) 




Illustration  by  Esteban 


Two-Factor  Authentication 


Get  the  strong  two-factor  security  you  need 
to  protect  against  today’s  sophisticated 
threats  without  the  hassle  and  cost  of 
yesterday’s  technology. 


►PhoneFactor 


Easy  to  Setup,  Manage,  and  Use 
Strong  Out-of-Band  Authentication 
Rapid  Regulatory  Compliance 
Far  Less  Expensive  Than  Tokens 


1.877.NoToken 


www.phonefactor.com 


User  enters  username  and  password 


Instantly, user receives a call, simply answers and presses # (or a PIN) to complete the login


30,000  Malware  Specimens  Daily 


10 Billion Events Every Day
2,700  Clients  in  50  Countries 


10%  of  The  Fortune  500® 


NOT  SURPRISINGLY,  THE 
MOST  POWERFUL  WEAPON 
IN  INFORMATION  SECURITY 
IS  INFORMATION. 


At  SecureWorks,  we  turn  raw  security  data  into  actionable  security  information.  With  the  massive  volume  of 
relevant  incidents  we  collect  and  analyze  every  day,  we  are  able  to  better  understand  the  threat  landscape 
across  the  globe.  We  use  that  information  to  identify  threats  sooner  and  better  protect  our  clients.  Of  our 
largest  competitors  offering  security  services,  we’re  the  only  ones  focused  exclusively  on  security.  Discover 
what  makes  us  different,  and  learn  how  our  information  can  help  keep  yours  safer. 


See  what  the  leading  analysts  say  at  secureworks.com/focused 


SecureWorks


Contact  SecureWorks  at  info@secureworks.com  or  call  877.905.6661. 


©2010  SecureWorks.  All  rights  reserved.  SecureWorks  and  the  SecureWorks  logo  are  registered  trademarks  of  SecureWorks.  All  other  trademarks  are  the  property  of  their  respective  owners. 


